I want only certain file types to be stored on my Amazon Simple Storage Service (Amazon S3) bucket. How can I limit uploads so that my bucket accepts only those file types?
Resolution
Add statements to your bucket policy that do the following:
- Allow the s3:PutObject action only for objects that have the extension of the file type that you want.
- Explicitly deny the s3:PutObject action for objects that don't have the extension of the file type that you want.
Note: An explicit deny overrides any allow, so the deny statement enforces the file-type requirement even for principals whose identity-based IAM policies grant full access to your Amazon S3 resources (for example, s3:*).
For example, the following bucket policy allows exampleuser to perform the s3:PutObject action only for objects whose keys end in .jpg, .png, or .gif, and denies s3:PutObject to everyone for any other key:
Warning: This example bucket policy includes an explicit deny statement. If a user doesn't meet the specified conditions, even the user who enters the bucket policy can get denied access to the bucket. Therefore, you must carefully review the bucket policy before saving it. If you've accidentally locked the bucket, then see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?
{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "AllowPutObjectForListedExtensions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/exampleuser"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
            ]
        },
        {
            "Sid": "DenyPutObjectForOtherExtensions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "NotResource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
            ]
        }
    ]
}
Note:
- For the first Principal value, list the Amazon Resource Names (ARNs) of the users that you want to grant upload permissions to.
- For the Resource and NotResource values, make sure to replace DOC-EXAMPLE-BUCKET with the name of your bucket.
- Each Sid value must be unique within the policy. Amazon S3 rejects a bucket policy that reuses a statement ID.
- When you specify resources in the bucket policy, the bucket policy evaluation is case-sensitive. A bucket policy that denies s3:PutObject actions for NotResource "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg" will allow you to upload "my_image.jpg". However, if you try to upload "my_image.JPG", Amazon S3 will return an Access Denied error. If uploaders might use uppercase extensions, add those variants (for example, "*.JPG") to both the Resource and NotResource lists.
- The policy inspects only the end of the object key, not the object's content or its Content-Type metadata. A key such as "report.html.jpg" satisfies the "*.jpg" pattern, so treat this policy as a naming control and validate the content of uploaded files separately if that matters to you. Also note that "*" in a resource ARN matches any characters including "/", so the patterns apply to keys under every prefix in the bucket.
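The following Python script is an added example, not part of the original article or an AWS tool. It generates the two-statement policy above for any list of principals and extensions (with distinct Sids), and then runs a simplified local model of the evaluation logic (explicit deny wins, then allow, otherwise implicit deny) against a constructed set of object keys so you can see the case-sensitivity, the prefix behaviour of "*", and the suffix-only limitation before you touch a real bucket. The bucket name, user ARN and keys are placeholders; identity-based IAM policies are deliberately not modelled, and the model only handles the Resource/NotResource shape used on this page.

```python
import json
import re


def build_policy(bucket, principal_arns, extensions):
    """Build the two-statement bucket policy: allow s3:PutObject for keys
    ending in the listed extensions, explicitly deny it for every other key.
    Sids are distinct on purpose: S3 rejects a policy whose Sids repeat."""
    resources = [f"arn:aws:s3:::{bucket}/*{ext}" for ext in extensions]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPutObjectForListedExtensions",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": "s3:PutObject",
                "Resource": resources,
            },
            {
                "Sid": "DenyPutObjectForOtherExtensions",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "NotResource": resources,
            },
        ],
    }


def arn_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters (including '/'),
    '?' matches one character, everything else is a literal, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def evaluate_put(policy, principal_arn, bucket, key):
    """Simplified evaluation of s3:PutObject on one key: a matching explicit
    Deny wins over any Allow; with no matching Allow the result is an implicit
    deny. Returns "ALLOW" or "DENY"."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:PutObject":
            continue
        principal = stmt["Principal"]
        if principal != "*":
            aws = principal.get("AWS", [])
            aws = [aws] if isinstance(aws, str) else aws
            if principal_arn not in aws:
                continue
        if "Resource" in stmt:
            applies = any(arn_matches(p, object_arn) for p in stmt["Resource"])
        else:  # NotResource: the statement applies to every key NOT listed
            applies = not any(arn_matches(p, object_arn) for p in stmt["NotResource"])
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        allowed = True
    return "ALLOW" if allowed else "DENY"


# Placeholder values (assumptions for this example; replace with your own).
BUCKET = "doc-example-bucket"
USER = "arn:aws:iam::111111111111:user/exampleuser"
POLICY = build_policy(BUCKET, [USER], [".jpg", ".png", ".gif"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # Constructed test keys showing the edge cases discussed in the notes.
    for who, key in [
        (USER, "my_image.jpg"),          # ALLOW
        (USER, "my_image.JPG"),          # DENY: matching is case-sensitive
        (USER, "photos/2024/cat.png"),   # ALLOW: '*' spans '/'
        (USER, "report.html.jpg"),       # ALLOW: only the key suffix is checked
        (USER, "notes.txt"),             # DENY: explicit deny
        ("arn:aws:iam::111111111111:user/other", "x.jpg"),  # DENY: no Allow
    ]:
        print(f"{evaluate_put(POLICY, who, BUCKET, key):5}  {who.rsplit('/', 1)[1]} -> {key}")
```

Run it as-is to print the generated policy and the verdict for each key; pass a different extension list (for example, adding ".JPG") to see the uppercase case flip to ALLOW. The model mirrors only the bucket policy itself; in a real account the explicit deny still wins even when an IAM user policy grants s3:*, which is the reason the deny statement is there.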